User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
For the purposes of this discussion, the most interesting of these commands is policy-map, which is used
to apply your zone policy for each pair of zones. That is, for any given zone-pair, all rules defining traffic
(classes) and actions are applied within one policy-map. Further, Security Manager appends the current
class-default class to the end of each policy-map’s class list to capture any packets not processed by a
zone rule.
The default class-default is drop—appending this class to each policy-map is how the implicit dropping
of traffic between zones is accomplished. However, as mentioned, you can change this default behavior
for any zone-pair. For example, you might elect to pass all unmatched traffic, or you might change the
default to drop and log so you can determine what traffic is not being matched by your existing rules.
Note: The only options for the default behavior are Drop, Drop and Log, Pass, and Pass and Log.
If you want the default policy to continue to drop packets, you do not have to do anything in Security
Manager. This rule is generated automatically. If you do want to change the default behavior for a
zone-pair, you must provide a Permit any any IP rule (that is, Match: Permit; Sources: any;
Destinations: any; Services: IP in the Adding and Editing Zone-based Firewall Rules, page 21-59), with
Drop and Log, Pass, or Pass and Log as the chosen Action. You must also ensure that this rule appears
last in the list of rules for a zone pair. Security Manager interprets this as the intended class-default rule.
If your zone-based rules table includes a large number of rules, it might be difficult to ensure that this rule comes after all other rules for a zone pair. Here are a couple of techniques you can use to alleviate this:
• Use sections to organize the table, with one section per zone-pair. This makes it easier for you to order the rules for a zone-pair and to ensure that the class-default rule comes last. For more information on working with sections, see Using Sections to Organize Rules Tables, page 12-20.
• Create a shared zone-based rules policy that includes the class-default rule in the Default scope, and inherit this rule in the device’s local zone-based rule policy. For more information on inheritance and creating shared policies, see Inheriting or Uninheriting Rules, page 5-43 and Creating a New Shared Policy, page 5-51.
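The ordering requirement above (the Permit any any IP rule with one of the four default actions must be the last rule for its zone pair, otherwise it is not treated as the class-default rule) is easy to violate in a large table. The following script is an added example, not Security Manager code or output: it models a rules table as a list of small dicts in table order, reports which default behavior each zone pair ends up with (the implicit Drop unless a trailing class-default rule overrides it), flags class-default-shaped rules that are not last for their pair, and renders the class-default entry using IOS zone-based policy keywords (drop, drop log, pass, pass log). The sample table, the rule names and the rendering are constructed assumptions; the exact CLI Security Manager generates is not reproduced here.

```python
from collections import defaultdict

# The four permitted default behaviors, exactly as the Action column names them.
DEFAULT_ACTIONS = ("Drop", "Drop and Log", "Pass", "Pass and Log")

# IOS zone-based policy keywords for each default behavior (assumed rendering for
# illustration; Security Manager's generated CLI is not reproduced here).
IOS_ACTION = {
    "Drop": "drop",
    "Drop and Log": "drop log",
    "Pass": "pass",
    "Pass and Log": "pass log",
}


def is_class_default_rule(rule):
    """True when the rule has the shape the guide describes: Match Permit,
    Sources any, Destinations any, Services IP, and one of the default actions."""
    return (
        rule["match"] == "Permit"
        and rule["sources"] == "any"
        and rule["destinations"] == "any"
        and rule["services"] == "IP"
        and rule["action"] in DEFAULT_ACTIONS
    )


def effective_defaults(rules):
    """Work out the default behavior per zone pair from a rules table in table order.

    Returns (defaults, problems). defaults maps zone pair -> action; a pair whose
    last rule is not a class-default rule keeps the implicit "Drop". problems lists
    class-default-shaped rules that are not last for their pair and therefore will
    not be interpreted as the class-default rule."""
    by_pair = defaultdict(list)
    for rule in rules:
        by_pair[rule["zone_pair"]].append(rule)

    defaults, problems = {}, []
    for pair, pair_rules in by_pair.items():
        defaults[pair] = "Drop"  # implicit drop unless a trailing rule overrides it
        for position, rule in enumerate(pair_rules):
            if not is_class_default_rule(rule):
                continue
            if position == len(pair_rules) - 1:
                defaults[pair] = rule["action"]
            else:
                trailing = len(pair_rules) - position - 1
                problems.append(
                    f"{pair}: rule {rule['name']} ({rule['action']}) is followed by "
                    f"{trailing} more rule(s) for this zone pair; move it last"
                )
    return defaults, problems


def render_class_default(action):
    """Render the class-default entry of a policy-map for one default behavior."""
    return f" class class-default\n  {IOS_ACTION[action]}"


# Constructed sample table (not from the guide). Table order matters.
SAMPLE_RULES = [
    {"name": "web", "zone_pair": ("inside", "outside"), "match": "Permit",
     "sources": "10.0.0.0/8", "destinations": "any", "services": "HTTP", "action": "Inspect"},
    {"name": "default-in-out", "zone_pair": ("inside", "outside"), "match": "Permit",
     "sources": "any", "destinations": "any", "services": "IP", "action": "Pass and Log"},
    {"name": "premature-default", "zone_pair": ("dmz", "inside"), "match": "Permit",
     "sources": "any", "destinations": "any", "services": "IP", "action": "Drop and Log"},
    {"name": "dns", "zone_pair": ("dmz", "inside"), "match": "Permit",
     "sources": "any", "destinations": "10.1.1.53", "services": "DNS", "action": "Inspect"},
    {"name": "ssh", "zone_pair": ("outside", "dmz"), "match": "Permit",
     "sources": "any", "destinations": "10.2.0.0/16", "services": "SSH", "action": "Inspect"},
]

if __name__ == "__main__":
    defaults, problems = effective_defaults(SAMPLE_RULES)
    for pair, action in defaults.items():
        print(f"{pair[0]} -> {pair[1]}: {action}")
        print(render_class_default(action))
    for problem in problems:
        print("WARNING:", problem)
```

In the sample table, inside to outside ends with a Pass and Log class-default rule and so gets that default; dmz to inside has its Drop and Log rule placed before the dns rule, so the script warns and the pair keeps the implicit Drop; outside to dmz has no class-default rule and also keeps Drop.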
Configuring Settings for Zone-based Firewall Rules
Use the Zone Based Firewall settings page to: identify unreferenced zones; specify a zone for VPN interfaces; enable or disable WAAS support; maintain Trend Micro server and certificate information; and specify global Log settings on supported ASR devices.
Related Topics
• Zone Based Firewall Page, page 21-49
• Understanding the Zone-based Firewall Rules, page 21-3
Step 1 Access the Zone Based Firewall Page, page 21-49 as follows:
• (Device view) Select an IOS device and then select Firewall > Settings > Zone Based Firewall from the Policy selector.
• (Policy view) Select Firewall > Settings > Zone Based Firewall from the Policy Type selector. Select an existing policy or create a new one.
Step 2 (Optional) On the Zones tab: add, edit and delete unreferenced zones.